I bought proxy from a site in internet and I use it with one of my portable chromes for full security in this way: start GoogleChromePortable.exe --proxy-server="213.183.96.141:34682" On the proxy site it says it is http(s), the support told me it is https proxy. I use this proxy only for https sites. The question is: Am I secured in my case ? Is it possible my proxy provider eavesdrop some information from me ? Also how I can check if my proxy is https, because the provider can always lie to me? Thank you!
2 Answers
Under standard conditions, the connection between your browser and the proxy is always plain HTTP, so no HTTPS here.
Note that for an HTTPS connection from your browser to a website, the proxy only routes through the HTTPS traffic without being able to decrypt and/or eavesdrop. In other words: HTTTPS is end-to-end encrypted even across proxies, and this provides a major building block to the security of the protocol.
Well, having said this, it has to be remarked that all depends from the certificates you (or: your browser) trusts, and accepting some unknown certificates could lead to the proxy being able to play a man-in-the-middle even with HTTPS connections (among other types of attacks).
The certificate infrastructure is something like the Achilles heal of internet security, and there are endless discussions and assesments about it - more than I could detail in here. But as a end user, one important rule is to keep an eye on certificates, not accepting unknown ones easily and not accepting insecure connections.
-
A proxy is one of several way to break a secure HTTP connection. Of course this also requires the use of a self-signed certificate in order to have a browser indicate the connection is still secure. The only end to end encryption is between the proxy and the website. This means regardless if the connection between the user and the proxy was encrypted, a user with complete and total control over the proxy, could in theory intercept the data. In order to decrypt the data, that of course would require, the proxy to use a self-signed certificate and for the browser to trust that certificate– RamhoundCommented Aug 5, 2020 at 22:44
It may help to analyse the SSL certificate of your server to check if it has HTTPS enabled.
I suggest DigiCert.
